Trend Micro Cloud One™

Restrict Non-Admin Access to Administration Portal

Risk level: Medium (not acceptable risk)
Rule ID: ActiveDirectory-015

Ensure that the "Restrict access to Azure AD administration portal" policy is set to "Yes" within your Azure Active Directory (AD) settings to deny access to the Azure AD administration portal for all non-administrator users. This setting applies to the administration portal only; enabling it does not restrict access through PowerShell or another client such as Microsoft Visual Studio. By default, "Restrict access to Azure AD administration portal" is set to "No".

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

The Azure Active Directory administration portal provides access to sensitive or private information. To avoid data exposure, all non-admin users should be prohibited from accessing any Azure AD resource or information available on the administration portal.

Audit

To determine if non-admin users have access to the Active Directory administration portal, perform the following actions:

Note: Fetching "Restrict access to Azure AD administration portal" configuration setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under Administration portal, check the configuration of the Restrict access to Azure AD administration portal setting. If the policy is set to No, users without administrative privileges can use the Active Directory (AD) administration portal to access directory data and resources, and the current Azure AD user configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

With "Restrict access to Azure AD administration portal" set to "Yes", only Azure Active Directory administrators can access the administration portal, which protects AD data from unauthorized users. To enable the required setting, perform the following actions:

Note: Restricting non-administrator users' ability to access Active Directory administration portal using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user configuration settings.

05 On the User settings configuration page, under Administration portal, select Yes next to the Restrict access to Azure AD administration portal setting to block non-administrator users from accessing the Azure Active Directory administration portal.

06 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only the Active Directory users with an administrator role can access sensitive data available on the administration portal.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to restrict non-admin access to AD administration portal.

Publication date Aug 30, 2019
